Replace the Full HTML format with Basic HTML

What are the security concerns? Even with full HTML I didn't think iframe or inline scripts are allowed

It does not seems like that FullHTML format set by full_html_format_editor recipe limits the allowed tags by default (https://api.drupal.org/api/drupal/core%21recipes%21full_html_format_edit...). So even if the iframe is not in the ckeditor toolbar, it still seems to be allowed by default (if I have not missed anything).

I ask, because I'm pretty sure Drupal still prevents it. Has anyone tested? Once upon a time in D7 it was an absolute pain to allow iframe and script. Unfortunately that was an actual requirement

@mglaman: I don't know the details of the potential security concerns, because I am frankly indifferent to what these formats do.

But...I have definitely had multiple people raise it as a concern, and there seems to be (anecdotally) a strong likelihood that core committers reviewing Drupal CMS will find the lack of HTML restrictions to be a problem. Pam told me that other CMSes also limit allowed HTML tags, so it doesn't sound like we'd be doing anything especially weird by shipping Basic HTML instead of Full HTML.

So although I'm very open to making changes later and widening what's allowed, falling back to Basic HTML seems prudent in the near term, given the discomfort some folks, who actually build sites for a living (I don't :) seem to feel about it. That's where I'm coming from anyway.

will find the lack of HTML restrictions to be a problem

Totally agree. It's just, as you said, all anecdotal.

See https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/edito... which defines dangerous tags and the limited HTML extends

I'm just curious what are the dangerous HTML tags folks are worried about. And if they even work if CKEditor doesn't have a provided plugin supporting them

When building the Acquia DAM CKEditor 5 integration, the allowed HTML setting seemed disconnected, as in it didn't matter unless a CKEditor plugin supported the tag.

I don't need to die on this hill. I'm just trying to call out that Drupal already has pretty safe limits already and most may not be aware.

I have not tested it on Drupal CMS, but on Simplytest.me with Drupal 10.3.6 - if you put <script>alert("TEST");</script> to the body with full HTML format, it is not filtered and the alert appears once the node is displayed.

Good enough of an answer for me! Maybe that dangerous tags tidbit prevents it from running in the editor only 🤔

Let's definitely lock it down. Thanks for entertaining my questions.

Assigning to @pameeela for final sign-off on this.

LGTM, left a comment about a seemingly random ddev change but otherwise all good!

Replied, restoring RTBC.

Bam! Merged into 0.x. Thanks for the input everyone!

@phenaproxima my bad but I wasn't RTBCing this one!

I guess this is fine that it went in because we can still change it, but can I request a pause on changes like this? We need to properly spec out the editor(s), using the core ones is fine for the moment but the basic HTML editor is woefully inadequate for Drupal CMS.

Gah! Sorry about that, @pameeela - I'm pretty trigger happy with the commit button, as you know. Apologies for the miscommunication.

To the rest of the world - we discussed this in Slack and decided to leave this in for now, and flesh out the Basic HTML format and editor in another issue. So no revert needed this time.

Automatically closed - issue fixed for 2 weeks with no activity.